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1 . A method for preventing denial of service attacks against Hypertext Transfer Protocol 
(HTTP) servers, comprising: 

receiving a HTTP request from a subscriber using a first communication network 
coupled to at least one other communication network, said request including a 
Universal Resource Locator (URL); 

receiving a profile for said subscriber; 

filtering said request to determine whether said subscriber is authorized to make said 

request based upon said profile; and 
forwarding said request to said at least one other communication network when said 

subscriber is authorized to make said request. 

2. The method of claim 1 wherein said filtering further comprises: 

updating a client HTTP request count when said request is a HTTP "GET" request or 

a HTTP "POST" request; and 
applying HTTP server attack preventative measures when said request count exceeds 

a maximum HTTP request count. 

3. The method of claim 2 wherein said applying further comprises setting an alarm 
when said request count exceeds said maximum HTTP request count. 
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4. The method of claim 3, further comprising sending said alarm to an Internet Service 
Provider (ISP) associated with said subscriber. 



5 5. The method of claim 2 wherein said applying further comprises dropping the data 

packet containing said request when said request count exceeds said maximum HTTP 
request count. 

6. The method of claim 2 wherein said applying further comprises shutting down the 
10 account used to access said first communication network when said request count 
exceeds said maximum HTTP request count. 



7. The method of claim 6 wherein said applying further comprises disabling HTTP 
15 requests for a hold-down period when said request count exceeds said maximum 

HTTP request count. 

8. The method of claim 7, further comprising increasing said hold-down period each 
time said HTTP count exceeds said maximum HTTP request count. 

20 

9. The method of claim 8 wherein said hold-down period increases exponentially each 
time said HTTP count exceeds said maximum HTTP request count. 



25 



EL575422261US Docket No. CISCO-3294 

10. The method of claim 1 wherein said filtering further comprises indicating said request 
is unauthorized when the HTTP request frequency exceeds a maximum HTTP request 
frequency. 

5 

1 1 . The method of claim 1 wherein said filtering further comprises indicating said request 
is unauthorized when the frequency of HTTP requests for said URL exceeds a 
maximum HTTP request frequency. 

10 12. A program storage device readable by a machine, embodying a program of 

instructions executable by the machine to perform a method to prevent denial of 
service attacks against Hypertext Transfer Protocol (HTTP) servers, the method 
comprising: 

receiving a HTTP request from a subscriber using a first communication network 
15 coupled to at least one other communication network, said request including a 

Universal Resource Locator (URL); 
receiving a profile for said subscriber; 

filtering said request to determine whether said subscriber is authorized to make said 
request based upon said profile; and 
20 forwarding said request to said at least one other communication network when said 
subscriber is authorized to make said request. 

13. The program storage device of claim 12 wherein said filtering further comprises: 
updating a client HTTP request count when said request is a HTTP "GET" request or 
25 a HTTP "POST" request; and 
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applying HTTP server attack preventative measures when said request count exceeds 
a maximum HTTP request count. 



5 14. The program storage device of claim 13 wherein said applying further comprises 

setting an alarm when said request count exceeds said maximum HTTP request count. 

15. The program storage device of claim 14, further comprising sending said alarm to an 
Internet Service Provider (ISP) associated with said subscriber. 

10 

16. The program storage device of claim 13 wherein said applying further comprises 
dropping the data packet containing said request when said request count exceeds said 
maximum HTTP request count. 

15 17. The program storage device of claim 13 wherein said applying further comprises 

shutting down the account used to access said first communication network when said 
request count exceeds said maximum HTTP request count. 

20 18. The program storage device of claim 17 wherein said applying further comprises 
disabling HTTP requests for a hold-down period when said request count exceeds 
said maximum HTTP request count. 

19. The program storage device of claim 18, further comprising increasing said hold- 
25 down period each time said HTTP count exceeds said maximum HTTP request count. 
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20. The program storage device of claim 19 wherein said hold-down period increases 
exponentially each time said HTTP count exceeds said maximum HTTP request 
count. 

5 

21. The program storage device of claim 12 wherein said filtering further comprises 
indicating said request is unauthorized when the HTTP request frequency exceeds a 
maximum HTTP request frequency. 

10 22. The program storage device of claim 12 wherein said filtering further comprises 

indicating said request is unauthorized when the frequency of HTTP requests for said 
URL exceeds a maximum HTTP request frequency. 

23. An apparatus for preventing denial of service attacks against Hypertext Transfer 
15 Protocol (HTTP) servers, the apparatus comprising: 

means for receiving a HTTP request from a subscriber using a first communication 
network coupled to at least one other communication network, said request 
including a Universal Resource Locator (URL); 
means for receiving a profile for said subscriber; 
20 means for filtering to determine whether said subscriber is authorized to make said 
request based upon said profile; and 
means for forwarding said request to said at least one other communication network 
when said subscriber is authorized to make said request. 
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24. The apparatus of claim 23 wherein said means for filtering further comprises: 
means for updating a client HTTP request count when said request is a HTTP "GET" 

request or a HTTP "POST" request; and 
5 means for applying HTTP server attack preventative measures when said request 

count exceeds a maximum HTTP request count. 

25. The apparatus of claim 24 wherein said means for applying further comprises means 
for setting an alarm when said request count exceeds said maximum HTTP request 

10 count. 

26. The apparatus of claim 25, further comprising means for sending said alarm to an 
Internet Service Provider (ISP) associated with said subscriber. 

15 27. The apparatus of claim 24 wherein said means for applying further comprises means 
for dropping the data packet containing said request when said request count exceeds 
said maximum HTTP request count. 

28. The apparatus of claim 24 wherein said means for applying further comprises means 
20 for shutting down the account used to access said first communication network when 
said request count exceeds said maximum HTTP request count. 
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29. The apparatus of claim 28 wherein said means for applying further comprises means 
for disabling HTTP requests for a hold-down period when said request count exceeds 
said maximum HTTP request count. 

5 

30. The apparatus of claim 29, further comprising means for increasing said hold-down 
period each time said HTTP count exceeds said maximum HTTP request count. 

31. The apparatus of claim 30 wherein said hold-down period increases exponentially 
10 each time said HTTP count exceeds said maximum HTTP request count. 

32. The apparatus of claim 23 wherein said means for filtering further comprises means 
for indicating said request is unauthorized when the HTTP request frequency exceeds 
a maximum HTTP request frequency. 

15 

33. The apparatus of claim 23 wherein said filtering further comprises means for 
indicating said request is unauthorized when the frequency of HTTP requests for said 
URL exceeds a maximum HTTP request frequency. 

20 34. An apparatus capable of preventing denial of service attacks against Hypertext 
Transfer Protocol (HTTP) servers, said apparatus comprising: 
a profile request generator capable of generating a profile request based upon a HTTP 
request received from a subscriber using a first communication network, said 
request including a Universal Resource Locator (URL); 
25 a filter capable of determining whether said request is authorized based upon said 

requested profile; and 
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an authorizer capable of allowing said request said request to be forwarded on at least 
one other communication network coupled to said first communication network. 



5 35. The apparatus of claim 34, further comprising: 

a first receiving interface capable of accepting said request; 

a first forwarding interface capable of sending said profile request to an AAA server; 

a second receiving interface capable of accepting a requested profile; and 

a second forwarding interface capable of forwarding said request on said at least one 
1 0 other communication network. 

36. The apparatus of claim 35 wherein said filter further comprises: 

an updater to update a client HTTP request count when said request is a HTTP 
"GET" request or a HTTP "POST" request; and 
15 a responder to apply HTTP server attack preventative measures when said request 
count exceeds a maximum HTTP request count. 

37. The apparatus of claim 36 wherein said responder further sets an alarm when said 
request count exceeds a maximum HTTP request count. 

20 

38. The apparatus of claim 36 wherein said responder sends said alarm to an Internet 
Service Provider (ISP) associated with said subscriber. 
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39. The apparatus of claim 36 wherein said responder drops the data packet containing 
said request when said request count exceeds a maximum HTTP request count. 



5 40. The apparatus of claim 36 wherein said responder shuts down the account used to 
access said first communication network when said request count exceeds a 
maximum HTTP request count. 

The apparatus of claim 40 wherein said responder disables HTTP requests for a hold- 
down period when said request count exceeds a maximum HTTP request count. 

The apparatus of claim 41 wherein said responder increases said hold-down period 
each time said HTTP count exceeds said maximum HTTP request count. 

The apparatus of claim 42 wherein said responder increases said hold-down period 
exponentially each time said HTTP count exceeds said maximum HTTP request 
count. 

20 44. The apparatus of claim 34 wherein said filter further indicates said request is 

unauthorized when the HTTP request frequency exceeds a maximum HTTP request 
frequency. 

45. The apparatus of claim 34 wherein said filter indicates said request is unauthorized 
25 when the frequency of HTTP requests for said URL exceeds a maximum HTTP 
request frequency. 
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